Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 1 Mar 2005 08:46:16 -0800 (PST)
> I just think it was a bit confusing when presented without supporting text. Maybe you could make it a web app instead of an Excel spreadsheet. :>
It took me a little time to find the actual report explaining the variables and formula. It was at that point I created the tool. A web app will be my next version.
> Hmm. I guess my point here is that vendors are very bad places to get your vulnerability information. When we release a
Assuming base score of 10. No patch and vuln is not acknowledged by vendors.

Exploitability: High
Remediation Level: Unavailable
Report Confidence: Uncorroborated
Temporal Score: 9.5

Once acknowledged by vendor:

Exploitability: High
Remediation Level: Unavailable
Report Confidence: Confirmed
Temporal Score: 10

Once patched by vendor:

Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed
Temporal Score: 8.7

If vendor confirmation and patch are simultaneous then the vuln was scored higher before confirmed. I think this is reasonable (though I think vendors should confirm the vuln and provide a temporary fix or workaround before making a patch available).
> The other thing that wasn't answered for me by the presentations was: What makes this set of metrics more special than other metrics? Is it just buy-in from the vendors? Is there some sort of test we can run that will demonstrate its usefulness over others?
Vendor support and an open methodology are significant differentiators. I think it's too soon to test its usefulness over others. Considering the media attention it's been getting, this can help improve awareness and adoption. I expect vendors of vulnerability assessment tools will be quick to incorporate this score.

I think this will benefit Nessus since signature authors now have a more consistent way to score the vulnerability they are testing for.

I think there is a risk of many vulns being scored "middle of the road" with small variances in values. It may be difficult to put it in perspective. I think I'd like to see how a few of the high-profile vulnerabilities score and compare with each other.
Brian Erdelyi
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
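The arithmetic behind the three temporal scores in Brian's post, as an added example that is not part of the original message and not a CVSS reference implementation. The weights the post implies (1.0 for High, Unavailable and Confirmed; 0.95 for Uncorroborated; 0.87 for Official Fix) are taken from its numbers; the remaining metric values are the published CVSS v1 temporal weights and are an assumption here, as is the round-half-up to one decimal. The last function goes beyond the post: it enumerates every combination of the three temporal metrics to show how narrow the band is that the "middle of the road" concern refers to.

```python
"""CVSS v1 temporal score: Temporal = Base * E * RL * RC, to one decimal."""
from itertools import product

# Temporal metric weights. Values the post implies are marked; the others
# are the published CVSS v1 weights (assumption, not stated on the page).
EXPLOITABILITY = {
    "Unproven": 0.85,
    "Proof-of-Concept": 0.90,
    "Functional": 0.95,
    "High": 1.00,            # implied by the post
}
REMEDIATION_LEVEL = {
    "Official Fix": 0.87,    # implied by the post (10 -> 8.7)
    "Temporary Fix": 0.90,
    "Workaround": 0.95,
    "Unavailable": 1.00,     # implied by the post
}
REPORT_CONFIDENCE = {
    "Unconfirmed": 0.90,
    "Uncorroborated": 0.95,  # implied by the post (10 -> 9.5)
    "Confirmed": 1.00,       # implied by the post
}


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal score for a base score and the three temporal metric names.

    Raises KeyError on an unknown metric value and ValueError on a base
    outside [0, 10]. The tiny epsilon turns Python's round-half-even into
    the round-half-up that scoring calculators conventionally use.
    """
    if not 0.0 <= base <= 10.0:
        raise ValueError("base score must be in [0, 10]")
    mult = (EXPLOITABILITY[exploitability]
            * REMEDIATION_LEVEL[remediation]
            * REPORT_CONFIDENCE[confidence])
    return round(base * mult + 1e-9, 1)


def lifecycle(base):
    """Temporal score at each stage the post walks through.

    Exploitability stays High throughout; only remediation level and
    report confidence change as the vendor acknowledges and then patches.
    """
    stages = [
        ("not acknowledged, no patch", "High", "Unavailable", "Uncorroborated"),
        ("acknowledged by vendor",     "High", "Unavailable", "Confirmed"),
        ("official patch available",   "High", "Official Fix", "Confirmed"),
    ]
    return [(name, temporal_score(base, e, rl, rc))
            for name, e, rl, rc in stages]


def temporal_multiplier_range():
    """(min, max) of E*RL*RC over all 4*4*3 = 48 metric combinations.

    The temporal metrics can only discount the base score, and never by
    more than about a third, so every vuln with the same base lands in a
    band of roughly [0.67*base, base].
    """
    mults = [e * rl * rc for e, rl, rc in product(EXPLOITABILITY.values(),
                                                  REMEDIATION_LEVEL.values(),
                                                  REPORT_CONFIDENCE.values())]
    return min(mults), max(mults)


if __name__ == "__main__":
    for stage, score in lifecycle(10.0):
        print(f"{stage:28s} temporal score {score}")
    lo, hi = temporal_multiplier_range()
    print(f"temporal multiplier spans {lo:.4f} .. {hi:.4f}")
```

Note that because confirmation is worth 0.95 and an official fix 0.87, the score after acknowledgement is the highest point in the lifecycle, which is exactly the ordering the post describes; only the exploitability metric can ever push a temporal score up over time.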
Current thread:
- Re: Vuln scoring system anyone? security curmudgeon (Feb 26)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- <Possible follow-ups>
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
- Re: Vuln scoring system anyone? Tom Parker (Mar 02)
- Re: Vuln scoring system anyone? Jason (Mar 02)
